Title: Hylafax hfaxd Local Format String Vulnerability
Severity: MODERATE
Description:
HylaFAX is a telecommunication system for UNIX systems. HylaFAX includes a server that can receive requests to send facsimiles from authorized hosts over a network.
The server binary, hfaxd, is installed setuid root by default and executable by everyone. 'hfaxd' contains a locally exploitable format string vulnerability involving the use of syslog().
At the command line, 'hfaxd' can be given the option to use a user-specified spooling directory. This is specified with the 'q' option. When a regular user attempts to start 'hfaxd' with this option, the argument to the 'q' option is logged to syslog. syslog() uses *printf() to format log output, and accepts a format string and a variable number of arguments as parameters. When 'hfaxd' calls syslog() to log the user execution, it includes the argument to the 'q' option in the format string. As a result, any format specifiers within that string are interpreted and acted upon by the *printf() function.
It may be possible for malicious local users to exploit this vulnerability. By specially formatting the command string and using format specifiers which cause memory to be written to ('%n'), attackers can write almost arbitrary values to arbitrary addresses. If successfully exploited, an attacker can force 'hfaxd' into executing arbitrary code.
Since 'hfaxd' is installed setuid root and executable by everybody, successful exploitation would provide root access to an attacker.
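The logging pattern described above, next to its corrected form, as an added example that is not hfaxd's source code. The helper log_line() is a hypothetical stand-in for syslog() that formats into a buffer so the result can be inspected, and the message text and the sample argument are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for syslog(priority, fmt, ...): same printf-style
 * contract, but the formatted line goes into buf instead of the system log. */
static int log_line(char *buf, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(buf, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Flawed pattern: the user-supplied -q argument is pasted into the string
 * that is then used as the format, so its '%' sequences are interpreted. */
const char *log_spool_unsafe(char *buf, size_t n, const char *qarg)
{
    char fmt[256];
    snprintf(fmt, sizeof fmt, "spool directory: %s", qarg);
    log_line(buf, n, fmt);
    return buf;
}

/* Corrected pattern: the format is a constant and the -q argument is
 * passed as data, so it is copied to the log byte for byte. */
const char *log_spool_safe(char *buf, size_t n, const char *qarg)
{
    log_line(buf, n, "spool directory: %s", qarg);
    return buf;
}

int main(void)
{
    char a[128], b[128];
    /* Constructed input: "%%" is the one directive that consumes no
     * argument, so it shows interpretation without undefined behaviour. */
    const char *qarg = "/tmp/q100%%";

    printf("unsafe: %s\n", log_spool_unsafe(a, sizeof a, qarg));
    printf("safe:   %s\n", log_spool_safe(b, sizeof b, qarg));
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang flag direct calls such as `syslog(pri, user_string)`, which is a quick way to audit a code base for this pattern.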
Affected Products:
- Hylafax Hylafax 4.0.0pl0
- Hylafax Hylafax 4.0.0pl1
- Hylafax Hylafax 4.0.0pl2
- Hylafax Hylafax 4.1.0-beta1
- Hylafax Hylafax 4.1.0-beta2
- Hylafax Hylafax 4.1.0-beta3
- S.u.S.E. Linux 7.0.0
- S.u.S.E. Linux 7.0.0 alpha
- S.u.S.E. Linux 7.0.0 i386
- S.u.S.E. Linux 7.0.0 ppc
- S.u.S.E. Linux 7.0.0 sparc
- S.u.S.E. Linux 7.1.0
- S.u.S.E. Linux 7.1.0 alpha
- S.u.S.E. Linux 7.1.0 ppc
- S.u.S.E. Linux 7.1.0 sparc
- S.u.S.E. Linux 7.1.0 x86
- S.u.S.E. Linux 7.2.0
- S.u.S.E. Linux 7.2.0 i386